Setting extended attributes in postprocess-script? #412
Comments
We only pick up I'll have to look into what the rationale was behind only allowing that (or maybe @cgwalters knows offhand). Might be reasonable to expand it at least for user attrs (would that cover your use case?).
Thanks for the quick reply! Yeah, the one I need is in Also, I'm a little confused because another extended attribute seems to have made its way into my target tree, but it's
Just to confirm, I patched my attribute into that array and my issue went away. Would be nice to have a less hacky solution to this upstream though 😄
Yeah, we do selinux labeling natively via So one thing to note here is what you're trying to do conflicts with the plan I have in ostreedev/ostree#369 (comment) - basically Can you say what the
It's just
Sure, would take a patch to add that. Although...IMO they should really change to at least also honor the
I'll raise it to the PaX/grsecurity folks, thanks 😄 By patch, you mean something that whitelists exactly that attribute? I can do that. Or are you talking more broadly about whitelisting the namespace? What's the goal of that check/restriction, out of curiosity? I'm not really grasping your xattrs plan from that ostree ticket link you posted above.
Something like this, if you want to test it:
Ah, that's exactly what I'm using today, minus the comments 😄 so it's already tested and works fine!
The TL;DR on my thoughts on xattrs is I want OSTree to "seal" files such that:
This is in use by [PaX](https://en.wikipedia.org/wiki/PaX); see also the [Arch Linux wiki](https://wiki.archlinux.org/index.php/PaX). Closes: coreos#412
I'm trying to set some extended attributes in my `postprocess-script` with `setfattr` and am noticing that they don't seem to make it into the final tree. In my `postprocess-script` I both `setfattr` and immediately afterwards `getfattr`, so I can see that the extended attributes get set properly, but somehow they disappear later in the process.

Is that expected to work? I see in the ostree documentation here that the repository format preserves extended attributes, but I'm not sure if `rpm-ostree` is doing something to remove my extended attributes.

If this is unexpected behavior, I can put together a minimal repro.